Accepted Answer

This is by design. The proxy is NOT enabled on the HOTLAN because if it were, then users on the HOTLAN could surf the LAN. Basically, the ClearOS server is trusted to the LAN and can communicate with it freely. If you use the server as a proxy then surfing is a trusted activity for the server itself and users on the HOTLAN would be able to surf the LAN. As you stated...

"The reason for this is that the clients on the HOTLAN should not be able to see or communicate with the clients on the LAN."

Giving HOTLAN users access to the proxy means that they would be able to see and communicate with the clients on the LAN since they would be using the server as their intermediary.

You can override this behavior, however, with custom firewall rules that override the firewall redirect of ports and with overrides on the proxy server to accept proxy connections from this extra LAN, but it is not part of the design, nor is it a supported method, because it, quite frankly, ruins the whole security paradigm of the HOTLAN.

Having a second ClearOS server just to filter your HOTLAN is a common solution. You can even virtualize it if your hardware supports that sort of thing. A service like DNSthingy would filter both networks but currently it is an either/or between this service and the content filter.
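The trust path described in the answer above, modelled as an added example (not part of the original post and not ClearOS code): a small audit that reports which zone pairs become reachable only because the proxy accepts clients from a given zone. The subnets, the sample hosts, the rule sets and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed addressing; the page gives no subnets.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "HOTLAN": ipaddress.ip_network("192.168.2.0/24"),
}
# Assumed forwarding policy: both zones may reach the internet,
# and nothing is forwarded between HOTLAN and LAN.
FORWARD_ALLOWED = {("LAN", "WAN"), ("HOTLAN", "WAN")}
# The answer states the server is trusted to the LAN; WAN is assumed.
SERVER_REACHES = {"LAN", "WAN"}
# Constructed sample hosts, one per zone (203.0.113.0/24 is a documentation range).
SAMPLE = {"LAN": "192.168.1.10", "HOTLAN": "192.168.2.10", "WAN": "203.0.113.10"}


def zone_of(addr):
    """Map an address to its zone; anything unknown is treated as WAN."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


def effective_path(src, dst, proxy_client_zones):
    """Return 'direct', 'proxy' or None for a src -> dst connection."""
    s, d = zone_of(src), zone_of(dst)
    if s == d or (s, d) in FORWARD_ALLOWED:
        return "direct"
    # A proxied request is originated by the server itself, so the
    # server's trust applies, not the client's forwarding rules.
    if s in proxy_client_zones and d in SERVER_REACHES:
        return "proxy"
    return None


def audit(proxy_client_zones):
    """List (source zone, destination zone) pairs reachable only via the proxy."""
    return [
        (s, d)
        for s in ZONES
        for d, dst in SAMPLE.items()
        if effective_path(SAMPLE[s], dst, proxy_client_zones) == "proxy"
    ]


if __name__ == "__main__":
    print("proxy serves LAN only:      ", audit({"LAN"}))
    print("proxy serves LAN and HOTLAN:", audit({"LAN", "HOTLAN"}))
```

With the proxy limited to LAN clients the audit is empty; adding HOTLAN as a proxy client produces the HOTLAN-to-LAN pair, which is the isolation break the answer warns about.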